Bug 676911 - SSSD attempts to use START_TLS over LDAPS for authentication
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Assignee: Stephen Gallagher
QA Contact: Chandrasekar Kannan
 
Reported: 2011-02-11 19:55 UTC by Stephen Gallagher
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: sssd-1.5.1-6.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 11:38:36 UTC




Links:
Red Hat Product Errata RHSA-2011:0560 (priority normal, status SHIPPED_LIVE): "Low: sssd security, bug fix, and enhancement update", last updated 2011-05-19 11:38:17 UTC

Description Stephen Gallagher 2011-02-11 19:55:33 UTC
Description of problem:
SSSD always attempts to use the START_TLS function when performing LDAP auth. However, some LDAP servers (especially those sitting behind SSL accelerators) cannot handle TLS over LDAPS. This prevents authentication from succeeding on those platforms.

Version-Release number of selected component (if applicable):
sssd-1.2.1-28.el6_0.4

How reproducible:
Proof that this is happening is easily seen in the debug logs, however the auth failure requires a fairly complicated configuration.

Steps to Reproduce:
1. Configure SSSD with ldap_uri = ldaps://ldap.example.com and auth_provider = ldap
2. Set DEBUG logs to level 4 or higher (debug_level = 4)
3. Perform an LDAP user login through SSSD.
  
Actual results:
Logs include a line like:
(Fri Feb 11 14:27:08 2011) [sssd[be[default]]] [sdap_connect_send] (4):
Executing START TLS

Expected results:
SSSD should not attempt to start TLS.

Additional info:
Extensive mailing list thread on sssd-devel:
https://fedorahosted.org/pipermail/sssd-devel/2011-February/005651.html
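As an added illustration (not part of this bug report or of SSSD's own code), the check below reads an sssd.conf-style fragment and a set of domain-log lines and flags the failure mode described above: a "Executing START TLS" message logged against an ldaps:// URI. It also recognises the "No need to run START_TLS" line that the fixed build emits. The config fragment and log lines are constructed after the ones quoted in this report.

```python
import re
from urllib.parse import urlsplit

# Constructed sssd.conf fragment mirroring the reproduction steps:
# an ldaps:// URI with auth_provider = ldap and debug_level = 4.
SAMPLE_CONF = """
[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
debug_level = 4
"""

# Constructed domain-log lines: the first mimics the buggy output quoted in
# the report, the second the output of the fixed build quoted in comment 3.
SAMPLE_LOG = """\
(Fri Feb 11 14:27:08 2011) [sssd[be[default]]] [sdap_connect_send] (4): Executing START TLS
(Wed Apr  6 16:40:17 2011) [sssd[be[default]]] [auth_resolve_done] (8): [ldaps://ldap.example.com:636] is a secure channel. No need to run START_TLS
"""

# One sssd domain-log line: (timestamp) [sssd[be[domain]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<lvl>\d+)\): (?P<msg>.*)$"
)

def ldap_uris(conf_text):
    """Return the URIs listed in the ldap_uri option (comma-separated)."""
    m = re.search(r"^\s*ldap_uri\s*=\s*(.+)$", conf_text, re.MULTILINE)
    if not m:
        return []
    return [u.strip() for u in m.group(1).split(",") if u.strip()]

def uses_ldaps(conf_text):
    """True when every configured URI already carries TLS (ldaps scheme)."""
    uris = ldap_uris(conf_text)
    return bool(uris) and all(urlsplit(u).scheme == "ldaps" for u in uris)

def audit_log(conf_text, log_text):
    """Classify log lines: 'bug' when START TLS is executed although the
    configured URIs are ldaps://, 'fixed' when SSSD reports it skipped it."""
    findings = []
    ldaps = uses_ldaps(conf_text)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        if ldaps and "Executing START TLS" in msg:
            findings.append(("bug", m.group("ts"), m.group("func")))
        elif "No need to run START_TLS" in msg:
            findings.append(("fixed", m.group("ts"), m.group("func")))
    return findings
```

Running `audit_log(SAMPLE_CONF, SAMPLE_LOG)` yields one "bug" finding from sdap_connect_send and one "fixed" finding from auth_resolve_done; a plain ldap:// configuration produces no "bug" finding, since START TLS is expected there.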

Comment 3 Gowrishankar Rajaiyan 2011-04-06 12:05:12 UTC
No more "Executing START TLS" message logged in the domain logs while authenticating against ldaps.

Snippet from /var/log/sssd/sssd_default.log:
(Wed Apr  6 16:40:17 2011) [sssd[be[default]]] [auth_resolve_done] (8):
[ldaps://sssdldap.redhat.com:636] is a secure channel. No need to run START_TLS

Verified.

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 24.el6                        Build Date: Sat 02 Apr 2011 01:24:54 AM IST
Install Date: Tue 05 Apr 2011 11:11:29 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-24.el6.src.rpm
Size        : 3462740                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 4 errata-xmlrpc 2011-05-19 11:38:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

Comment 5 errata-xmlrpc 2011-05-19 13:09:31 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html

